CISA and the FBI urged software program firms on Wednesday to evaluation their merchandise and eradicate path OS command injection vulnerabilities earlier than transport.
The advisory was launched in response to latest assaults that exploited a number of OS command injection security flaws (CVE-2024-20399, CVE-2024-3400, and CVE-2024-21887) to compromise Cisco, Palo Alto, and Ivanti community edge gadgets.
Velvet Ant, the Chinese language state-sponsored risk actor that coordinated these assaults, deployed customized malware to realize persistence on hacked gadgets as a part of a cyber espionage marketing campaign.
“OS command injection vulnerabilities come up when producers fail to correctly validate and sanitize person enter when developing instructions to execute on the underlying OS,” right this moment’s joint advisory explains.
“Designing and growing software program that trusts person enter with out correct validation or sanitization can enable risk actors to execute malicious instructions, placing clients in danger.”
CISA advises builders to implement well-known mitigations to forestall OS command injection vulnerabilities at scale whereas designing and growing software program merchandise:
- Use built-in library features that separate instructions from their arguments each time potential as a substitute of developing uncooked strings fed right into a general-purpose system command.
- Use enter parameterization to maintain knowledge separate from instructions; validate and sanitize all user-supplied enter.
- Restrict the components of instructions constructed by person enter to solely what is critical.
Tech leaders must be actively concerned within the software program improvement course of. They’ll do that by making certain that the software program makes use of features that generate instructions safely whereas preserving the command’s supposed syntax and arguments.
Moreover, they need to evaluation risk fashions, use trendy element libraries, conduct code opinions, and implement rigorous product testing to make sure the standard and security of their code all through the event lifecycle.
“OS command injection vulnerabilities have lengthy been preventable by clearly separating person enter from the contents of a command. Regardless of this discovering, OS command injection vulnerabilities—a lot of which consequence from CWE-78—are nonetheless a prevalent class of vulnerability,” CISA and the FBI added.
“CISA and FBI urge CEOs and different enterprise leaders at know-how producers to request their technical leaders to investigate previous occurrences of this class of defect and develop a plan to eradicate them sooner or later.”
OS command injection security bugs took the fifth spot in MITRE’s high 25 most harmful software program weaknesses, surpassed solely by out-of-bounds write, cross-site scripting, SQL injection, and use-after-free flaws.
In Could and March, two different “Safe by Design” alerts urged tech executives and software program builders to weed out path traversal and SQL injection (SQLi) security vulnerabilities.
